How OMG QA keeps your quality data safe, isolated, and auditable. This page mirrors what the platform actually does β per-organization database isolation, encrypted secrets, a tamper-evident audit log, scoped API keys and passwordless authentication β and lists every subprocessor we rely on.
Every organization gets its own dedicated database (database-per-tenant, ADR-0008). The database is the isolation boundary — one tenant can never read another's data.
Connector secrets are encrypted at rest; all traffic is served over TLS. Evidence files live in private object storage, reachable only through short-lived signed URLs.
Every action — by a person or an agent — is recorded in an append-only, hash-chained audit log. Any mutation, insertion or deletion breaks the chain and is detectable. Entries carry the actor and a correlation id for review.
API keys are project-scoped by default — bound to a single project — and granted exactly the permission scopes they need, never a blanket role. An agent or integration can only see and act on the one project it was issued for; cross-project access is rejected on the server. Granting a key the whole workspace is a deliberate, broader choice.
Sign-in is a one-time passcode emailed to the user, with request throttling and lockout — there are no long-lived passwords to phish or leak.
Agent writes can run read-only or behind a human-approval queue, with per-agent rate limits. Automation accelerates the work but never gets unchecked authority.
Owners can delete their workspace self-serve from Workspace settings: deletion is scheduled with a retention window (cancellable), then verifiably erased with a deletion receipt (tenant data eraser, DSR-style deletion).
Owners and admins can export the entire organization on demand — findings, comments, history, and a bulk evidence manifest — as a portable document, re-import it, and run a verifiable offboarding. Your data is yours to take with you.
Each organization can pin its data to a residency region, chosen at creation and changeable by an org admin. We currently offer:
GET /api/v1/organizations/region). Routing each region to a region-local data plane
is an operations rollout in progress β see the engineering note in
docs/legal/data-residency.md. Where processing crosses borders, transfers rely on the
Standard Contractual Clauses incorporated into our DPA.
We engage the third-party subprocessors below to deliver the service. The authoritative source is a
machine-readable register β also available at GET /api/v1/trust/subprocessors β so you
can watch for changes programmatically.
Last updated 2026-06-01.
| Subprocessor | Purpose | Data | Regions |
|---|---|---|---|
|
MongoDB Atlas
MongoDB, Inc.
|
Primary data store — per-organization isolated database (ADR-0008) holding findings, projects, audit log and other tenant records. | Customer content, Account metadata, Audit records | us, eu |
|
Microsoft Azure
Microsoft Corporation
|
Cloud hosting and Azure Blob Storage for evidence attachments (screenshots, traces, video) accessed via short-lived SAS URLs (ADR-0006). | Customer content, Evidence files | us, eu |
|
Cloudflare
Cloudflare, Inc.
|
Edge network, TLS termination and DDoS protection for the marketing site and application origin. | Network metadata, IP addresses | global |
|
Stripe
Stripe, Inc.
|
Payment processing and subscription billing (optional — used only for paid plans checked out via Stripe). | Billing contact, Payment metadata | global |
|
Paddle
Paddle.com Market Ltd.
|
Merchant of record, payment processing and subscription billing (optional — used only for paid plans checked out via Paddle). | Billing contact, Payment metadata | global |
|
PayPal
PayPal, Inc.
|
Payment processing for subscriptions (optional — used only for paid plans checked out via PayPal). | Billing contact, Payment metadata | global |
Current version [email protected], effective 2026-06-01. Available to all customers. Read the DPA β
For international transfers, the EU SCCs (and UK Addendum) are incorporated into the DPA. Read the SCCs β
OMG QA β Capture Every Finding. Fix Faster.
Documentation Β· API Reference Β· MCP Guide Β· Home